Stuxnet Had Earlier, Potentially Explosive Version, Symantec Says

Photograph by Vahid Salemi/AP Photo

A technician works at the Uranium Conversion Facility outside the city of Isfahan, Iran, in 2007.

The developers behind Stuxnet, the computer worm that damaged an Iranian nuclear plant in 2010, began their work on the malware earlier than previously known and experimented with multiple attack techniques, according to new research by Symantec Corp.

Stuxnet, which tampered with the speed of centrifuges, was preceded by a version in development as early as 2005 that was designed to manipulate the nuclear facility’s  gas valves, according to Francis deSouza, Symantec’s president of products and services. That ability could cause an explosion, he said.

The computer attack in 2010 was one of the first known examples of a cyber weapon used to destroy physical infrastructure. The programming code, which was developed by the United States and Israel, took out nearly 1,000 of the 5,000 centrifuges that Iran used to purify uranium by altering the speed of the machines, the New York Times reported.

“It looks like now the weapon tried a few things before it hit on what would actually work,”‘ deSouza said in an interview. “It is clear that this has been a sophisticated effort for longer than people thought.”

Mountain View, California-based Symantec, the world’s biggest computer-security software maker, found a sample of what it calls Stuxnet 0.5, the earliest known version of the computer worm.

Based on an analysis of the code, it was in the wild in November 2007 and in development at least two years before that. It was submitted to Symantec as part of a malware-scanning service, and deSouza would not identify the organization that submitted it. It was unclear if the code was ever activated in the wild, deSouza said.

The biggest change between the two versions was the earlier code had the ability to shut critical gas valves inside Iran’s uranium enrichment system, which could increase pressure and potentially cause an explosion, Symantec said. The later version of Stuxnet that damaged the Iranian facility did not have that ability and was replaced with the capacity to alter the speed of Iran’s centrifuges, deSouza said.

The findings, announced today at the RSA security conference in San Francisco, come amid recent reports of U.S. companies battling computer attacks from abroad, including Eastern Europe and China.


What do you think about this article? Comment below!